What is Social Engineering?
Social engineering is a deceptive tactic used to manipulate individuals into giving up confidential and/or personal information. Hackers can then use this information to carry out fraudulent or malicious activity. Social engineering relies on human nature and interaction, taking advantage of your trust by manipulating you into making cybersecurity mistakes.
Social engineering often works by asking a few simple questions while claiming to be a trustworthy individual or group. Watch this video by Jimmy Kimmel Live to see how Jimmy Kimmel's team gets people to reveal their passwords through social engineering:
How Does Social Engineering Occur?
In social engineering, cyber criminals exploit human nature and take advantage of your trust to conduct a scam. Social engineering occurs in four steps:
- Information gathering
- Relationship development
- Exploitation
- Execution
Information gathering usually begins with phishing: 91% of cyber-attacks start with a phishing email. Cyber hackers send links or files to employees in order to take over the computer network or release malware into your organization's network. Once inside the system, they can spend months gathering the information, credentials, and protocols relevant to the organization's employees and activities.
After gathering your information, cyber attackers impersonate an employee or upper-level executive to trick their victims. By pretending to be an individual within the organization, the cyber hacker can request money transfers, taking advantage of an employee's negligence or ignorance.
Types of Social Engineering
Impersonating a trustworthy individual or company is only one type of social engineering. Social engineering comes in various forms such as:
- Phishing: When hackers send fraudulent emails that appear to be from reputable companies to encourage you to reveal personal information and data.
- Baiting: When someone leaves a portable storage device such as a USB drive or laptop where a victim will find it, luring the victim into opening it to see what is on the device. The device often carries malware or a virus that exposes personal and/or financial information to the hackers.
- Tailgating (also known as piggybacking): When there is a physical breach of an unauthorized individual following an authorized individual into a secured location.
- Scareware: When a potentially unwanted application (PUA) or rogueware appears legitimate by impersonating a security system or security software.
- Spoofing: When a hacker pretends to be someone or something else to gain your trust, receive access to your network, steal your information, or spread malware into your systems.
With social engineering, cyber criminals impersonate close friends, large organizations like the government, or a superior within your organization. As a result, hackers can collect personal information and data after gaining your trust.
Why is it a Big Deal?
Many cyber criminals use social engineering to complete their scam and/or fraud. According to KnowBe4, only 3% of the malware cyber criminals run attempts to exploit a technical flaw in the system; the other 97% uses some type of social engineering to trick the user.
Cyber criminals use social engineering because it is both highly effective and subtle as a way of obtaining confidential information from an employee. In a survey conducted by Willis Towers Watson, social engineering fraud (specifically against financial institutions) has continued to increase exponentially over the years.

Figure (source: Willis Towers Watson, 2019)
How to Mitigate These Attacks
The most effective way to mitigate cyberattacks caused by social engineering is simply to educate employees about the importance of keeping confidential information private. Cyber attacks and threats caused by social engineering are often the result of insider threats: employees who unintentionally give the cyber hacker access to the company's system.
So, to prevent social engineering from being successful, organizations must deal with the insider threat by raising awareness and teaching employees how to react to phishing emails. Employees should:
- Remain aware and suspicious of any individuals asking for personal or organizational data.
- Check website URLs carefully and research whether the site is the legitimate one before entering any information.
- Verify authenticity by contacting the company directly through a known channel.
- Refuse to provide personal or organizational information.
- Refuse to provide login information such as username and password over email or phone.
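As an added illustration of the URL check in the list above (example code, not part of the original post), the helper below shows how the host a browser actually connects to can differ from the familiar name a phishing link displays. The allowlist of trusted domains and the sample URLs are constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed allowlist: domains the organization treats as legitimate (hypothetical).
TRUSTED_DOMAINS = {"example.com", "payroll.example.com"}


def _split(url: str):
    # Links in emails often omit the scheme; urlsplit needs one to find the host.
    return urlsplit(url if "://" in url else "http://" + url)


def registrable_host(url: str) -> str:
    """Return the lowercase hostname the browser would really connect to.

    Anything before '@' (userinfo) and any port are ignored, because a
    familiar name placed there is only decoration, not the destination.
    """
    return (_split(url).hostname or "").lower().rstrip(".")


def is_trusted(url: str) -> bool:
    """True only if the real host is a trusted domain or one of its subdomains."""
    host = registrable_host(url)
    return host in TRUSTED_DOMAINS or any(
        host.endswith("." + d) for d in TRUSTED_DOMAINS
    )


def suspicious_reasons(url: str) -> list:
    """Explain, in plain words, why a link deserves a second look."""
    parts = _split(url)
    host = registrable_host(url)
    reasons = []
    if parts.username is not None:
        reasons.append("credentials before '@' hide the real host")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode host (possible look-alike letters)")
    if host.replace(".", "").isdigit():
        reasons.append("bare IP address instead of a domain")
    for d in TRUSTED_DOMAINS:
        # e.g. example.com.evil.example: the trusted name is a decoy subdomain.
        if d in host and not is_trusted(url):
            reasons.append(f"trusted name '{d}' appears inside an untrusted host")
    return reasons
```

A URL that passes `is_trusted` with an empty `suspicious_reasons` list is still worth confirming by typing the address yourself rather than clicking the link.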
Always remain aware of the subject you are discussing, both over email and over the phone. Furthermore, understand the sensitivity of the information you manage; this will help you judge whether project or organizational data should be discussed with another party at all. Security is not a one-person job, and everyone within the organization is responsible for following safe cybersecurity practices.
References
- FI Observer. (2019, March 19). Social engineering – avoiding the hacker’s harpoon and phishing net. Willis Towers Watson. https://www.willistowerswatson.com/en-US/Insights/2019/03/social-engineering-avoiding-the-hackers-harpoon-and-phishing-net
- PhishMe. (2015). Enterprise Phishing Susceptibility Report [White paper]. Retrieved from https://cofense.com/wp-content/uploads/2017/10/PhishMe_EnterprisePhishingSusceptibilityReport_2015_Final.pdf